Connecting to AWS
BuildGraph has an element type, AWS-AssumeRole, which allows BuildGraph to execute commands using the AWS element as a role you define and control within your AWS environment.
You can read about BuildGraph’s AWS integration here: https://dev.epicgames.com/documentation/en-us/unreal-engine/buildgraph-script-tasks-reference-for-unreal-engine#aws
Assuming AWS roles across AWS accounts requires each side of the relationship to establish trust with the other side and grant sts:AssumeRole permissions.
On the Universal Foundry side, we use your AWS account ID to allow your Horde agents to assume roles in your AWS account.
1. Universal Foundry Configuration
On the settings page, scroll down to “AWS Assume Role” and enter your AWS account ID.
2. AWS Configuration
On your side, you need to give the Horde Agent Role permission to assume the role. To do so, include the following statement in the trust relationship for your AWS role. Trust relationships are sometimes referred to as the “assume role policy” or “trust policy”.
The value of the AWS key should be the value found in “UF Role ARN to Trust” in your settings page.
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "<UF Role ARN to Trust from UF Settings Page>"
  },
  "Action": "sts:AssumeRole"
}
For example, a complete trust policy that only allows the role to be used by the Universal Foundry Horde agent would look like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<UF Role ARN to Trust from UF Settings Page>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
3. BuildGraph
Here is an example showing how to use a cross-account role in Horde.
This example assumes a role then uses the AWS CLI sts get-caller-identity command to show that the role has been assumed.
<Node Name="Assume Cross-account Role Example">
  <Property Name="AssumeRoleCredsFile" Value="tmp\aws-creds.txt" />
  <Aws-AssumeRole Arn="arn:aws:iam::YOUR_ACCOUNT_ID:role/YOUR_ROLE" Session="uf-horde-example" OutputFile="$(AssumeRoleCredsFile)" />
  <Aws EnvironmentFile="$(AssumeRoleCredsFile)" Arguments="sts get-caller-identity" LogOutput="true" />
  <Delete Files="$(AssumeRoleCredsFile)" />
</Node>
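An offline check for the trust policy from step 2, added here as an example and not part of the original page or of Universal Foundry's tooling: it reports every principal other than the expected role ARN that an Allow statement lets call sts:AssumeRole. The function names, the ARNs and both sample policies are constructed placeholders; use the “UF Role ARN to Trust” value from your settings page as the expected ARN.

```python
import json
from fnmatch import fnmatchcase
# Constructed placeholder; substitute the "UF Role ARN to Trust" value.
EXPECTED_ARN = "arn:aws:iam::111122223333:role/example-uf-horde-agent"

def as_list(value):
    """IAM accepts a single value or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy_json, expected_arn):
    """Return findings; an empty list means only expected_arn can assume the role."""
    findings, trusted = [], False
    statements = as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen trust
        # Action names are case-insensitive and may contain wildcards (sts:*).
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if not any(fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        if "NotPrincipal" in stmt:
            findings.append(f"statement {i}: Allow with NotPrincipal")
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal")
            continue
        for kind, values in principal.items():
            for value in as_list(values):
                if kind == "AWS" and value == expected_arn:
                    trusted = True
                else:
                    findings.append(f"statement {i}: unexpected {kind} principal {value}")
    if not trusted:
        findings.append("expected role ARN is not trusted")
    return findings

def make_policy(*statements):
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})
def allow(principal, action="sts:AssumeRole"):
    return {"Effect": "Allow", "Principal": principal, "Action": action}

# Constructed samples: the strict policy from step 2, and an over-broad variant.
STRICT = make_policy(allow({"AWS": EXPECTED_ARN}))
LOOSE = make_policy(allow({"AWS": [EXPECTED_ARN, "arn:aws:iam::444455556666:root"]}),
                    allow("*"))

if __name__ == "__main__":
    print(audit_trust_policy(STRICT, EXPECTED_ARN), audit_trust_policy(LOOSE, EXPECTED_ARN))
```

The check ignores Condition blocks, so a finding on a statement that is narrowed by a condition still needs a manual look.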